Addressing Security Challenges of Mobility and Web 2.0 2009

Addressing the security challenges
of two emerging technologies:
Mobility and Web2.0

Public Sector Information Security
Conference – 23 July 09, Sydney

1 www.senseofsecurity.com.au © Sense of Security 2009 Friday, July 24, 2009

Mobility & Access to Information: Agenda

• Business Drivers for Mobility & Web 2.0 Services
• Intro to Web 2.0 & Mobility
• Corporate Response – Permit or Deny
• Current trends & relevance
• Mobility Security Issues
• Web Application Security Issues
• Conclusion


Statistics

We are going to be talking a lot about current statistics

So I thought I would put this disclaimer in

DISCLAIMER

“42.7 percent of all statistics are made up on the spot."
--The Hon. W. Richard Walton, Sr.

…. But I believe I am using credible sources and it is all referenced


• Business Drivers for Mobility & Web 2.0 Services
• Conclusion


Business Drivers

Business needs for mobility and social networking/collaboration tools:
• Efficient access to information from remote locations
• Provide practical and reliable access to shared information
regardless of geographical location and/or time zone
• A desire to leverage contacts and content in more effective ways
• Flexible work location options help retain skilled staff
• Increase productivity levels in competitive markets
• Reduce operational costs- compelling ROI


People and Information

It's all about
giving

access to

securely!


• Market Drivers for Mobility & Web 2.0 Services
• Conclusion


What is Web 2.0?

Web 2.0 refers to today’s “second generation” of Web technologies
• includes AJAX, RSS feeds, online forums, and mashups.

In general Web 2.0 covers broader development trends:
• Rich Internet Applications (RIA): Feature rich web sites; mimic
thick client applications.
• Collaboration and Participation: Generating and sharing content in
real time; wikis, extranets, blogs, social networking sites, online
forums.
• Syndication: RSS or Atom feeds and mashups. Broadcasting of data.


What is Web 2.0?

"Web 2.0" refers to the second generation of web development and web
design. It is characterized as facilitating communication, information
sharing, interoperability, user-centered design and collaboration on the
World Wide Web. It has led to the development and evolution of web-
based communities, hosted services, and web applications. Examples
include social-networking sites, video-sharing sites, wikis, blogs,
mashups and folksonomies.
[Ref: Wikipedia]

In contrast to the static nature of Web 1.0, Web 2.0 systems rely
heavily upon user generated content. In fact, Web 2.0 has been
described as the “participatory Web.”
[Ref: Secure Enterprise 2.0 Forum, Top Web 2.0 Security Threats, 2009]


Look familiar?

Instant Messaging RSS
Social Networks

Tagging
Personalised Home Pages Widgets

[Source: Worklight]


Thousands already and growing daily


Show me the access!

So you provided the platform to share the
information, now how do I access it, use it and
store it?


Access required from everywhere


Forget about the cables


We need mobility, availability & storage


Instantaneous gratification

“96% of the time people have their cell phones
within 1 meter of them”
[Ref Tony Saigh, business development manager for mobile at Skype
http://www.cnet.com.au/skype-s-mobile-dreams-339285053.htm]



• Conclusion


The corporate response

The usual (corporate) response is a mixture between

… and complete


Being too restrictive?

Usually when access to information is
completely restricted, with the intention
of protecting the information, you don’t
derive the benefit from the available
technology and improved methods.

and this happens


People find a way around it anyway

Internet application usage has expanded dramatically—to the point where
virtually all corporations have employees using at least one such application:
survey results indicate that 97% of end-users now use one or more of these
Internet applications, up from 85% reported last year.
[The Collaborative Internet: Usage Trends, End User Attitudes and IT Impact. Facetime, Oct 2008]

Industry estimates state that 60% of corporate data resides on unprotected
PCs and laptops, 10% of laptops are lost or stolen in the first year of
purchase, and 66% of USB devices are lost or misplaced in their lifetimes
[Google, 2009. www.google.com/apps/intl/en/business/switch_benefits.html ]

A December 2007 survey conducted by the Ponemon Institute found that 4 out
of 10 employees reported losing a laptop, mobile phone, PDA, or flash drive
containing company data.
In that same study, more than half of employees report copying sensitive
information to flash drives, even though 87% of those companies had policies
prohibiting the practice.
[Survey of US IT Practitioners Reveals Data Security Policies Not Enforced,” Ponemon Institute, 2007]


Build it and they will come …
Some what connected people (Web 1.0) Who know they should be more
connected

So they get together to share
information and collaborate

Web 2.0



• Conclusion


Why should you care about Web 2.0?

Consumer (i.e. "Web 2.0") technologies are already finding their way into
the enterprise.
• Employees use (sanctioned and unsanctioned) consumer tools to
perform day-to-day business tasks
• Enterprise applications use consumer technologies to provide the
latest and greatest in usability and functionality
• Examples include: instant messaging, blogs, mashups, wikis

……..and Web Applications are the focus of attacks
• Web applications in general have become the Achilles heel of
Corporate IT Security.
• Nearly 55% of all vulnerability disclosures in 2008 affect Web
applications
• SQL injection jumped 134% and replaced cross-site scripting as the
predominant type of Web application vulnerability (several hundred
thousand per day at the end of 2008).
[Source: IBM]


It’s real

• 78% of IT organizations are concerned about the risks of employee-
driven, unsanctioned use of Web 2.0 tools and technologies
[Source: Forrester Research]

• 50% of respondents said they "customize their work environment
moderately or aggressively" (including the use of unsanctioned tools)
and will continue to do so.
[Source: Gartner Research poll]


So how much information is out there?

• 487,000,000,000 Gigabytes of Digital Content Today to Double
Every 18 Months (IDC, 19May09)
[http://www.infoniac.com/hi-tech/digital-content-today-to-double-every-18-months.html]

• 133,000,000 – number of blogs indexed by Technorati since 2002
• 900,000 – average number of blog posts in a 24 hour period
• 1,200,000,000 – number of YouTube videos viewed per day
(Techcrunch 9Jun09)
• 20 hours – amount of video are uploaded to YouTube every minute
(TechCrunch May09)
• 65,000 iPhone apps online; 1,500,000,000 downloaded and more
than 100,000 developers (MX News, July 15)

[Ref: http://thefuturebuzz.com/2009/01/12/social-media-web-20-internet-numbers-stats/]


So some adopt it


And sometimes things go wrong

HORRIBLY
WRONG


Sensitive information published online

http://laurelpapworth.com/facebook-mi6-
wifes-photos/


And even the technologists are affected

A Must Read: http://www.techcrunch.com/2009/07/19/the-anatomy-of-
the-twitter-attack/

Data copied to mobile devices and lost

http://blog.absolute.com/category/security-breach/


Mobile Malware

[Ref: http://www.arnnet.com.au/article/311467/analysts_see_alarming_development_mobile_malware?eid=-217]


• Conclusion


And why does it happen? Mobility

Adoption of mobility solutions requires enterprise security to be
extended BEYOND the enterprise perimeter.

• There is no corporate policy
• The backdoor is left open with USB keys.
• The side entrance door is left open with the wireless network.
• Information is published (read LEAKED) to
blogs/collaboration/info sharing sites.
• Laptops, removable media, mobile phones store vast amounts of
sensitive data and are still seldom encrypted.
• Data in transit is seldom encrypted.
• Poor (if any) authentication to corporate data for mobile users.


5 Steps to Mobility Security

Policy
• Create a policy that covers the device lifecycle, from
selection to recovery.
Data In Motion
• Encrypt all data over mobile and WiFi networks. Use VPN
clients or application layer encryption.
Data at Rest
• Encrypt data stored on device. Manage cached data with
3rd party software and passwords.
Malware Protection
• Protect against malware with policy (Bluetooth,
downloads) and technology (anti-malware SW).
Authentication
• Require user authentication at points required for
acceptable risk/aggravation.
[Ref: Opus1, Five Steps To Securing Mobile Devices, 2008]



• Conclusion


And why does it happen? Web Collaboration

Social:
• Too much personal information online
• Very grey lines about what is private
• Changes with demographic

Result:
• Easier social engineering attacks...
• Sensitive information inadvertently published (MI6 example
shown earlier)


Credentials are gold

"Reproduced with permission. Please visit www.SecurityCartoon.com for more material."


So they can

Take your money ….

Or sell your data to make
money ….


TMI: Too Much Information

Snapshot study: Mint (www.mint.com)
• An online free web application helping users with managing their
money and budgeting
• Downloads, categorises, and graphs all of your finances
automatically every day
• Users are required to supply their account credentials including pins
and passwords (Read only access for analysis only)
• Over 1 million users (Jul 2009)
• Adding over 3,000 users every day
• Connects to more than 7,500 US financial institutions
• Mobile Access – Mint for iPhone
• Mint does not offer terms and conditions that guarantee anything.
You provide them with Power of Attorney. You indemnify them
against all claims. Mint is not responsible or liable to you.


Mint continued …

• The usernames and passwords you use to access your online financial
accounts are not viewable by Mint.com employees or contractors.
• This information is collected from you one time only in order to establish
a persistent connection to your financial institutions.
• Your credentials are encrypted and securely passed to our online service
providers who maintain them in order to deliver your transactional data
to the Mint service.
• The information is never stored on the Mint.com site
BUT
• On their own forum site they selectively answer questions
• Ask any question as long as they have a marketing style answer for it
• Some serious posts about viewing someone else’s account information
ignored

Sounds like a good idea but perhaps not quite there yet


“Remember Me” functionality

Impact: Increases
the possibility of
cross-site
scripting &
similar session
hijacking attacks

"Reproduced with permission. Please visit www.SecurityCartoon.com for more material."


Password Security $%^@!@#$@#$

• Many applications limit password length and complexity!

• So even if users try to adopt good password measures they
can’t.

• This forces the user to be insecure.


SSL

• Why do so many sites not enforce SSL Logon?

• Even if SSL Logon is enforced – may still succumb to
threats.
Ref SSLStrip tool. Redirects through ARP Spoof and
creates a MITM attack.

• Always check server certificate.


Web 2.0 Security Trends

According to a recent report based on analysis of recent “web hacking
incidents of importance” it is concluded that :
• Web 2.0 services and sites lead the list with highest number of
all recorded incidents (21%).

• Most popular attack vectors exploiting Web 2.0 features are SQL
injection (21% of attacks) and Authentication abuse (18%). A new
emerging threat is Cross Site Request Forgery (CSRF) that
currently ranks as the 6th most popular attack vector with 8% of
the reported attacks.

• Leakage of sensitive information remains the most common
outcome of web hacks (29%), while disinformation follows with
26%, mostly due to hacking of online identities of celebrities.
[Ref: Secure Enterprise 2.0 Forum; WEB 2.0 HACKING INCIDENTS & TRENDS 2009 Q1]


Web 2.0 is different but still the same



Who is being attacked?

Speaker's Note: Sample size unknown. This sample may not
accurately represent the Australian landscape.



What is motivation/outcome of attack?



Key steps to web application security
If Developing
• Develop Securely. Use Secure Coding Guidelines. Ref
OWASP
• Run Vulnerability Management Lifecycle Program.
Complement with frequent penetration tests.
If using 3rd party
• Review security measures in place.
• Understand how your information is secured.
• Review and understand T&C’s of the service.
Firewalling
• Use Web Application Firewalls and Application/Protocol
firewalls.
• Traditional network firewalls over no protection.
Engage with experts
• Understand threat landscape.
• Perform technical and business aligned security reviews


• Conclusion


Summary

• Web 2.0 is both a set of technologies as well as a new set of
consumer behaviours.
• The interactive internet is growing daily and here to stay.
• Those who do not adopt these emerging technologies will eventually
be left behind.
• Attacks against web applications are on the increase. Protect
yourself against all attack vectors. Review web applications
frequently.
• Data Loss will continue to plague organisations. Know where and
what your data is and encrypt it in motion and at rest.
• Effective mobility solutions are required to deliver cross platform,
multi vector access to web applications.
• You can find the balance between and


Thank You

Thank You
Murray Goldschmidt – General Manager
Sense of Security Pty Ltd
Tel: +61 2 9290 4444
info@senseofsecurity.com.au
www.senseofsecurity.com.au

Sense of Security is an endorsed supplier to the
NSW Government ICT Services Panel (2020) for Whole of Government


Addressing Security Challenges of Mobility and Web 2.0 2009

Recommended

More Related Content

Viewers also liked

Viewers also liked (7)

Similar to Addressing Security Challenges of Mobility and Web 2.0 2009

Similar to Addressing Security Challenges of Mobility and Web 2.0 2009 (20)

More from Jason Edelstein

More from Jason Edelstein (8)

Recently uploaded

Recently uploaded (20)

Addressing Security Challenges of Mobility and Web 2.0 2009